ICO uses new powers for the first time and imposes £200,000 fine on nuisance text marketer Help Direct UK Ltd in a case “with no mitigating factors”

What happened: For the first time ICO has exercised increased powers to take enforcement action against nuisance marketers.

The change came with the scrapping in April 2015 of the need in s.55 A (1) of the Data Protection Act 1998 (“DPA”) to show “substantial damage or substantial distress” before fines of up to £500,000 could be imposed for nuisance calls, emails or texts.

The punished company in this case was Swansea-based lead generation company Help Direct UK Ltd (“HDL“). In an April 2015 campaign (“the April 2015 Campaign“) HDL sent thousands of unsolicited marketing text messages without the prior consent of the recipients. The texts offered a variety of services including reclaim of Payment Protection Insurance payments, bank refunds and loans. In just one month these prompted 6,758 complaints.

This followed a similar HDL campaign a year previously (“the February 2014 Campaign”). This triggered 659 complaints and led to ICO serving an Enforcement Notice on HDL in February 2015. The notice required HDL to take steps to ensure compliance with Regulation 22 of the Privacy and Electric Communications (EC Directive) Regulations 2003 (“PECR“).

Regulation 22 of the PECR requires that except in cases where the contact details have been obtained in the course of the sale or negotiations for the sale of a product or service to the message recipient, a person shall neither transmit nor instigate the transmission of unsolicited communications for the purposes of direct marketing by means of electronic mail [or text] unless the recipient has previously notified the sender that he consents for the time being to such communications being sent by or at the instigation of the sender.

Given that the April 2015 Campaign was launched after HDL had received the Enforcement Notice in respect of the February 2014 Campaign, the ICO considered that by sending the April 2015 Campaign HDL had “deliberately contravened” Regulation 22 of the PECR. The regulator also considered that there were “no mitigating factors.”

Still worse, there were aggravating factors including the potential for HDL to gain a commercial advantage over its competitors by generating leads from unlawful practices and HDL’s “blatant disregard” of the rules by ignoring the previous Enforcement Notice.

The April 2015 Campaign messages included:

“Its been signed off, we have 3886.41 in your name for the accident you had, for us to put in your bank now. Just fill out www.accidentinjryclaim.so“.

Due to the above factors, the use of unregistered SIM cards and dongles to avoid detection and the scale of the contravention over such a short space of time, the ICO considered that this was a serious contravention of the PECR that also satisfied the requirement of s.55 A (1) (c) of the DPA that either the contravention was deliberate or the sender knew or ought to have known there was a risk of a contravention yet failed to take reasonable steps to prevent the contravention.

Given that the ICO regarded unsolicited direct marketing texts as “a matter of significant public concern” and considered that this was an opportunity to reinforce the need for businesses to ensure they were compliant PECR when sending unsolicited direct marketing messages, the ICO determined that in all the circumstances a monetary penalty of £200,000 was appropriate.

At the time of writing it is not clear whether HDL has appealed or taken the opportunity to pay the fine by 20 November 2015 and thus benefit from a 20% discount.

Why this matters: spam texts can be reported to the ICO or to a network operator by sending the text, free of charge, to “7726.”

This case indicates that increasing numbers of spam recipients are getting the message that complaining is easy.

It also shows that the ICO stands ready to exercise its increased powers in appropriate cases.